A small demo project showing how GRC Engineering / SOX ITGC testing can be implemented with:
- Python for parsing + control logic + evidence generation
- SQL for repeatable, auditor-friendly control tests (SQLite)
This project uses synthetic sample data (no production systems).
`src/run_access_control_tests.py`
- Parses CloudTrail-style IAM events
- Correlates to “approved access” list (simulating ServiceNow/Jira approvals)
- Flags exceptions (no approval, after-hours)
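The access-control test described above, written out as an added example (not the demo project's own code). The CloudTrail record shape follows the real `eventName` / `requestParameters` layout, but the grant-event mapping, the approval fields, the 08:00-18:00 UTC business-hours policy and all sample records are constructed assumptions:

```python
"""Access-control test: CloudTrail-style IAM grants vs. an approved-access list.

Added example (not the demo project's own code). The grant-event mapping,
approval fields and business-hours window are assumptions for illustration.
"""
import json
from datetime import datetime, time, timezone

# Which IAM API calls count as access grants, and which request parameter
# names the granted target (assumed mapping for the demo).
GRANT_EVENTS = {"AttachUserPolicy": "policyArn", "AddUserToGroup": "groupName"}
# Assumed control policy: grants outside 08:00-18:00 UTC are after-hours.
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed sample CloudTrail-style log file content (not real events).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-04T14:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-04T22:30:00Z", "eventName": "AddUserToGroup",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "carol", "groupName": "finance-admins"}},
    {"eventTime": "2024-03-05T09:00:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "dave"},
     "requestParameters": {"userName": "erin",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-03-05T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "dave"}, "requestParameters": {}},
]})

# Constructed approvals, simulating a ServiceNow/Jira export.
SAMPLE_APPROVALS = [
    {"ticket": "ACC-1001", "grantee": "bob",
     "target": "arn:aws:iam::aws:policy/AdministratorAccess",
     "approved_at": "2024-03-04T10:00:00Z"},
    {"ticket": "ACC-1002", "grantee": "carol", "target": "finance-admins",
     "approved_at": "2024-03-04T09:00:00Z"},
]


def parse_ts(value):
    """CloudTrail timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_grants(cloudtrail_json):
    """Reduce a CloudTrail-style file to the grant events this control cares about."""
    grants = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        target_key = GRANT_EVENTS.get(rec.get("eventName"))
        if target_key is None:
            continue  # not an access grant; out of scope for this control
        params = rec.get("requestParameters") or {}
        grants.append({
            "event_time": parse_ts(rec["eventTime"]),
            "event_name": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("userName", "<unknown>"),
            "grantee": params.get("userName", "<unknown>"),
            "target": params.get(target_key, "<unknown>"),
        })
    return grants


def find_approval(grant, approvals):
    """An approval counts only if it names the same grantee and target and was
    given before the IAM change happened (a post-hoc approval does not)."""
    for a in approvals:
        if (a["grantee"] == grant["grantee"] and a["target"] == grant["target"]
                and parse_ts(a["approved_at"]) <= grant["event_time"]):
            return a
    return None


def run_access_control_tests(cloudtrail_json, approvals):
    """Return one exception row per finding; one event can raise more than one."""
    exceptions = []
    for g in parse_grants(cloudtrail_json):
        base = {"event_time": g["event_time"].isoformat(), "actor": g["actor"],
                "grantee": g["grantee"], "target": g["target"]}
        approval = find_approval(g, approvals)
        if approval is None:
            exceptions.append({**base, "exception": "NO_APPROVAL", "ticket": ""})
        t = g["event_time"].time()
        if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            exceptions.append({**base, "exception": "AFTER_HOURS",
                               "ticket": approval["ticket"] if approval else ""})
    return exceptions


if __name__ == "__main__":
    for row in run_access_control_tests(SAMPLE_CLOUDTRAIL, SAMPLE_APPROVALS):
        print(row)
```

Two design points worth keeping when adapting this: the approval must predate the event, otherwise a ticket raised after the fact would silently "cure" an unapproved grant, and an approved grant made after hours is still reported, because timing is a separate control from authorisation.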
`src/run_change_mgmt_tests.py`
- Tests “deployments must have approved change tickets”
- Flags deploy-before-approval and out-of-window deployments
`src/run_data_integrity_tests.py`
- Reconciles source vs reporting totals and row counts
- Flags missing records, variances, duplicates, nulls
Each script produces:
- `output/*.csv` - evidence
- `output/*_metadata.json` - run metadata (inputs, hashes, timestamps, counts)
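An evidence writer that produces the CSV plus metadata JSON pair described above, as an added example (not the demo project's own code). The metadata fields, the hashing of both inputs and the output file, and the sample rows are assumptions; the `verify_evidence` re-check is what lets an auditor confirm later that the files they were handed are the ones the run produced:

```python
"""Evidence writer: a CSV of exceptions plus a metadata JSON recording input
hashes, output hash, timestamp and counts, so the run can be re-verified.

Added example (not the demo project's own code); file naming follows the
output/*.csv and output/*_metadata.json pattern, the fields are assumptions.
"""
import csv
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_evidence(test_name, rows, fieldnames, input_paths, out_dir):
    """Write <test_name>.csv and <test_name>_metadata.json; return the metadata."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    csv_path = out_dir / f"{test_name}.csv"
    with csv_path.open("w", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)
    metadata = {
        "test_name": test_name,
        "run_at_utc": datetime.now(timezone.utc).isoformat(),
        # Hash the inputs too: the finding is only reproducible against these exact files.
        "inputs": [{"path": str(p), "sha256": sha256_file(p)} for p in input_paths],
        "evidence": {"path": str(csv_path), "sha256": sha256_file(csv_path)},
        "exception_count": len(rows),
    }
    meta_path = out_dir / f"{test_name}_metadata.json"
    meta_path.write_text(json.dumps(metadata, indent=2, sort_keys=True), encoding="utf-8")
    return metadata


def verify_evidence(meta_path):
    """Re-hash every file the metadata references; False if any changed since the run."""
    meta = json.loads(Path(meta_path).read_text(encoding="utf-8"))
    files = meta["inputs"] + [meta["evidence"]]
    return all(sha256_file(f["path"]) == f["sha256"] for f in files)


def demo_run():
    """Write a constructed input and evidence into a temp dir, then show that
    verification passes on the untouched files and fails once the CSV is edited.
    Returns (metadata, verified_before_edit, verified_after_edit)."""
    out_dir = Path(tempfile.mkdtemp(prefix="sox-demo-"))
    input_path = out_dir / "cloudtrail_sample.json"
    input_path.write_text('{"Records": []}', encoding="utf-8")  # constructed input
    rows = [{"grantee": "erin", "exception": "NO_APPROVAL"},
            {"grantee": "carol", "exception": "AFTER_HOURS"}]
    meta = write_evidence("access_control_exceptions", rows,
                          ["grantee", "exception"], [input_path], out_dir)
    meta_path = out_dir / "access_control_exceptions_metadata.json"
    verified_before = verify_evidence(meta_path)
    # An after-the-fact edit to the evidence file must be detectable.
    with (out_dir / "access_control_exceptions.csv").open("a", encoding="utf-8") as f:
        f.write("edited,NO_APPROVAL\n")
    verified_after = verify_evidence(meta_path)
    return meta, verified_before, verified_after


if __name__ == "__main__":
    print(demo_run())
```

Hashing the inputs alongside the output is the part most people skip: without it the metadata proves what the script wrote, but not what it was looking at when it wrote it.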
SQL control tests:
- `sql/01_access_controls.sql`
- `sql/02_change_management.sql`
- `sql/03_data_integrity.sql`
These run against a local SQLite database created by the Python scripts: `output/sox_demo.db`.
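The data-integrity reconciliation (source vs reporting totals, row counts, missing records, duplicates, nulls) written as plain SQL and run against SQLite from Python, covering both the `run_data_integrity_tests.py` description above and the "SQL tests against a local SQLite database" pattern. This is an added example, not the project's own `sql/03_data_integrity.sql`; the table names, columns and rows are constructed, amounts are kept as integer cents so totals reconcile exactly, and it also reports rows present in reporting but absent from source, which goes beyond the list above:

```python
"""Data-integrity tests as SQL run against SQLite (in-memory here, the way the
sql/*.sql files would run against output/sox_demo.db).

Added example (not the demo project's own code): table names, columns and
data are constructed. Amounts are integer cents to avoid floating-point drift.
"""
import sqlite3

# Constructed ledgers: reporting has a duplicate (T2), an unexpected row (T5)
# and is missing T3/T4; source has a NULL amount (T4).
SOURCE_ROWS = [("T1", "2024-03-01", 10000), ("T2", "2024-03-01", 25050),
               ("T3", "2024-03-02", 7525), ("T4", "2024-03-02", None)]
REPORTING_ROWS = [("T1", "2024-03-01", 10000), ("T2", "2024-03-01", 25050),
                  ("T2", "2024-03-01", 25050), ("T5", "2024-03-02", 9999)]

# Each test is plain SQL so an auditor can re-run it in the sqlite3 shell.
TESTS = {
    "totals": """
        SELECT s.n AS source_rows, s.total AS source_cents,
               r.n AS reporting_rows, r.total AS reporting_cents,
               r.n - s.n AS row_variance, r.total - s.total AS cents_variance
        FROM (SELECT COUNT(*) AS n, COALESCE(SUM(amount_cents), 0) AS total FROM source_ledger) s,
             (SELECT COUNT(*) AS n, COALESCE(SUM(amount_cents), 0) AS total FROM reporting_ledger) r""",
    "missing_in_reporting": """
        SELECT s.txn_id FROM source_ledger s
        LEFT JOIN reporting_ledger r ON r.txn_id = s.txn_id
        WHERE r.txn_id IS NULL ORDER BY s.txn_id""",
    "unexpected_in_reporting": """
        SELECT r.txn_id FROM reporting_ledger r
        LEFT JOIN source_ledger s ON s.txn_id = r.txn_id
        WHERE s.txn_id IS NULL ORDER BY r.txn_id""",
    "duplicates_in_reporting": """
        SELECT txn_id, COUNT(*) AS copies FROM reporting_ledger
        GROUP BY txn_id HAVING COUNT(*) > 1 ORDER BY txn_id""",
    "null_amounts": """
        SELECT 'source_ledger' AS tbl, txn_id FROM source_ledger WHERE amount_cents IS NULL
        UNION ALL
        SELECT 'reporting_ledger' AS tbl, txn_id FROM reporting_ledger WHERE amount_cents IS NULL
        ORDER BY tbl, txn_id""",
}


def build_demo_db(path=":memory:"):
    """Create the two ledger tables and load the constructed rows."""
    conn = sqlite3.connect(path)
    # Table names come from a fixed tuple here, never from user input.
    for table in ("source_ledger", "reporting_ledger"):
        conn.execute(f"CREATE TABLE {table} (txn_id TEXT, posted_on TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO source_ledger VALUES (?, ?, ?)", SOURCE_ROWS)
    conn.executemany("INSERT INTO reporting_ledger VALUES (?, ?, ?)", REPORTING_ROWS)
    conn.commit()
    return conn


def run_data_integrity_tests(conn):
    """Run every test; the result rows are the evidence."""
    return {name: conn.execute(sql).fetchall() for name, sql in TESTS.items()}


def has_exceptions(results):
    """Totals reconcile only when both variances are zero; every other test must be empty."""
    totals = results["totals"][0]
    if totals[4] != 0 or totals[5] != 0:
        return True
    return any(rows for name, rows in results.items() if name != "totals")


if __name__ == "__main__":
    for name, rows in run_data_integrity_tests(build_demo_db()).items():
        print(name, rows)
```

Note what the constructed data shows: both ledgers have four rows, so a row-count-only reconciliation passes, while the amount total is off by 27524 cents and the record-level tests expose why. Row counts are a necessary check, not a sufficient one.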
```bash
cd sox-demo
python -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -r requirements.txt
# Run all controls (creates output/sox_demo.db and evidence files)
python src/run_all.py
```